We're Bad At Regulating Privacy, Because We Don't Understand Privacy

from the we're-bad-at-this dept

It's been an interesting year for those of us who support strong privacy for the public -- in part because we've seen lots of movement on attempts to regulate privacy. However, you may have noticed that we've also regularly criticized almost every attempt to regulate privacy. We've been highly critical of the GDPR, Europe's big privacy regulation that is impacting basically every website globally. And we were even more critical of California's disaster of a privacy bill, that was a rush job with tremendous problems. And now that the news has come out that the White House is working on a domestic version of the GDPR (perhaps in an attempt to preempt California and other states from making a mess of things) we should, perhaps, clarify why nearly all attempts at regulating privacy, are likely to be complete disasters.

And I know that many people who advocate in favor of privacy issues are supportive of at least some aspects of these bills. And I completely understand where they're coming from. So let's set some parameters: privacy is incredibly important -- and it's something that is often undervalued by those services that collect other people's private information, and a failure to protect privacy can have massive, life-changing consequences. But, I believe that almost everyone is confused about what privacy really is. We've discussed this a few times before, but I think it's important to recognize that the more we fail to properly understand privacy, the more likely it is that every attempt to regulate it will fail badly, often creating significantly bad consequences that will do a lot more harm than good. That doesn't mean we shouldn't protect privacy, however, and towards the end of this post, I'll suggest a better path forward on that front.

The basic issue is this: privacy is not a "thing," it's a trade-off. Yet, nearly all attempts to regulate privacy treat it as a thing -- a thing that needs "protecting." As such, you automatically focus on regulating "how do we protect this thing" which generally means prohibitions on sharing information or data, or even being willing to delete that data. But, if we view privacy that way, we also lose out on all sorts of situations where someone could benefit greatly from sharing that data, without the downside risks. When I say privacy is a trade-off I mean it in the following way: almost everything we do can involve giving up some amount of private information -- but we often choose to do so because the trade-off is worthwhile.

For example, leaving my house to go grocery shopping involves a trade-off in privacy. Someone could see me and recognize me, and could figure out certain pieces of information about me: what I shop for, what I eat, perhaps generally where I live, and the fact that I'm not home at that moment. They might also be able to spot what kind of car I drive, or divine other information about me from the things that they see me buying. That's all "private" information that is in some way exposed. Now, for most of us, we consider this trade-off worth it. First of all, the potential downside risk is extremely low. We doubt most people would recognize or care who we are, and we doubt that anyone who does so would glean information from this that could be used abusively. Also, the benefits are pretty high (we get the stuff we need). There are scenarios under which that might change (for example, this is why many top celebrities don't do their own grocery shopping -- the privacy "cost" to them is much higher, and thus the trade-off equation is different).

When we move into the digital world, once again, the issue that many people have is that this trade-off equation is a lot more of a gray area, and it makes people uncomfortable. In the grocery example above, for most people it's an easy call: the benefits outweigh the costs by a very large measure. When we talk about online services, what makes some people nervous is that this isn't as clear. And it's unclear for a number of important reasons: the risk of abuse is not clear, so we don't have as good an understanding of the potential costs as doing something like grocery shopping. Similarly, many of the costs appear "hidden" in that online services aren't completely upfront about what data they're collecting on us and what they're doing with it. The benefits still seem to be there -- otherwise why would people be using these services so much? -- but the trade-off equation includes a lot of guesses and uncertainty.

On top of that, we've definitely seen a few cases of information abuse or misuse -- though most of that has been around data breaches, identity fraud or credit card fraud. But, the potential downsides seem much more serious.

And thus, when we're dealing with services online, we're left in a situation that has many people reasonably nervous. And it's not because our privacy is lost or being abused but that we don't have a good sense of the risk of such abuse and thus we can't accurately gauge the the cost side of the equation (we similarly may have more difficulty measuring the benefits side, but that's perhaps less of a big deal here).

When we regulate privacy as a "thing," rather than a "trade-off," however, we end up cutting off many possibilities where people would actually be perfectly happy to trade some information for some larger benefit. This leads to things like rules and restrictions on what kind of information companies can even ask to use in offering services. Even worse, it often leads to rules that give companies who are holding our data even greater control over that data, by including "responsibilities" that actually serve to increasing the power of the companies over the users.

But there are better ways of dealing with all of this, starting with recognizing the idea that privacy is a trade-off. If that's the case, there should be two key concepts for any competent approach to privacy: transparency and user control. As discussed above, many of the problems today (and nearly all of the concerns) are over the lack of transparency. This impacts both the cost and the benefit sides of the equation. If we don't understand what data is being collected or what it's being used for (or how it's being stored), along with what actual benefits we're getting, it's much, much more difficult to make an informed decision about whether or not the trade-off is worth it. And the issue of control is connected to that, in that the more control end users have over their own data, the more they're able to make informed choices in weighing the costs and benefits.

Now, much of the problem here comes from various companies themselves, who for a variety of reasons have decided it's better to have less transparency and less user control involved. Perhaps it's because they feel that if people know the actual costs and benefits, they'll decide it's not worth it. Perhaps it's because it's difficult to provide both the transparency and control that is necessary to make informed decisions. Perhaps they're afraid that transparency and control might also create unnecessary friction leading to poor choices. It's likely to be some combination of these along with multiple other factors as well.

However, when many of the regulatory aspects focus on the "requirements" for companies using data, it often serves to harm the abilities of users to actually control their data. Yes, it may create opportunities for users to delete all of their data as held by a service, but "delete/not delete" is a very crude level of control. A more ideal world might be one where users have a form of a "data bank" which they control, and where they know what data is in there. And, if they want to use a service, that service could explain what data it needs, why it needs that data, and for how long it would like to access it. Then, the user can make a more informed choice, better weighing the trade-offs, and decide whether it will allow access to the data for that purpose, or if it wishes to somehow offer an alternative agreement.

Unfortunately, very few of these "privacy regulations" move us towards such a world, where there is greater transparency and end-user control. Instead, they mostly focus on putting onerous and often extraneous and unnecessary requirements on services to better "protect" data. And, again, all that does is increase their power, limit competition and limit the ability of new services to appear that do provide more transparency and control.

So every time we see new stories about privacy regulations, think about whether or not they'd lead to a world in which end users have more control and more transparency, or if they really seem designed to just put up enough roadblocks that only the largest companies can handle them... and which will likely lock our data even more tightly within those giant entities.

Reader Comments

While I agree with the overall idea, it's kinda hard to achieve such world when multiple companies are building profiles on you regardless of if you want to use their services or not. And frankly, even if all companies offer transparency and opt-ins/outs of their collection and data share my head hurts just thinking how many logins I'd need to create to save such options.

Sure some of the 'solutions' proposed or implemented miss the point but really, it's a mess that will be hard to fix without some overreach. I'd start requiring 3rd-party trackers to be disabled by default unless the user explicitly allows, same domain tracking of brwosing habits allowed by default with options to disable would be a nice start. Some pages are so riddled with trackers and advertisement that if you don't use adblockers they become resource hogs. Currently ArsTechnica is one of the worst offenders, TD has fixed it but it was pretty bad a while back as well.

That large corps can handle it is the solution.

States should focus almost exclusively on the few big corporations, hound them without mercy for the taxes, jailing any executives / shareholders / lawyers who act unlawfully, and worry very little about small sites. The simple way would glean 95% of possible income with 5% the effort of going after every site. Concentrations are VERY handy when looked at right. -- Yes, I know States will still want to go after every site. We need to make them focus on the few getting filthy Rich in large part exactly by using barely legal to illegal advantages over those small sites.

Now, you're already thinking that big corps will scream "selective enforcement!" -- SO? Turn that right round on them, and point to INORDINATE PROFITS due to the efficiencies of scale. It's proportionate enforcement. -- Oh, and JAIL executives / shareholders / lawyers who don't perform as ordered. Prospect of jail is guaranteed to improve behavior of The Rich exactly because they've so much to lose.

Just get your views of The Rich and their corporations right. Corporations are indeed to be tax collectors for the state, period. That's a condition of their very existence: corporations are permitted entities, have ZERO rights because mere fictions, NOT natural. We The People must turn them to OUR benefit, not for the few Rich. A reasonable state would bother citizens very little, but hound corporations without mercy. You cannot cause pain or hardship to corporations: they are fictions. But The Rich use those fictions to rule over you in fact.

You kids just can't think outside the shoe box you've been pressed into -- in large part because believe clowns like Masnick, who were born into the elite and indoctrinated into thinking that serves only interests of The Rich, not yours. They pose as experts but are sheerly money-grubbing parasites laughing at your stupidity in letting them live off your labor.

Key point is to stop thinking that corporations are "persons" with rights, and that everything The Rich say about economics is automatically good for you: they want to Rule over you, period.

Had this ready to go, may be a bit off-focus, but so's MM, as always NOT concerned about The Public but trying to get us to accept rule by corporations. And ANY opposition is always opposed by censoring, so exactly apt doesn't matter.

Re: That large corps can handle it is the solution.

States have little incentive to punish big companies because big companies provide jobs. In fact, many states give subsidies to big companies just to attract them to their state.

I am against capital punishment. However, George Carlin had a great bit about how we need to execute (not send to jail) a white-collar criminal (beheading, on television, with betting, etc). Then see how long it takes for the rest to fall in line.

Re: That large corps can handle it is the solution.

I think while interesting, your comments fail to address on any level the commentary provided by Mike. I am flagging your post not because of your disagreement with the article or your strawman Mike, but its failure to engage the premise of the article or connect to the article in any substantive way. Your post fails to address the privacy trade-off we all face (or privacy at all), and how to provide consumers (aka The Public) more understanding and control of that trade-off. Mike's commentary is in line with his general position that regulation to 'protect privacy' will only lock in the big corporations due to financial and social pressures.

I fail to see how an argument that protecting privacy will only support corporations while harming the consumer is pro-corporation, pro-rich, or anti-'The People'. Perhaps I could have, had you made an attempt to connect your commentary to the article it is piggy backing off of. But this appears to be trying to use a popular site (Techdirt) as a means to host your own unrelated rhetoric, which is either trolling or spam, depending on your viewpoint. If you want to express your own ideas you may set up a wordpress blog and have at. But the commentary section of an article should be to discuss the ideas and opinions and events discussed in the article. Connect your commentary to the article, draw conclusions based on that commentary, I would love to engage you on that level. But I will not address your ideas, because it does not support the discussion on the topic this forum (commentary for this article) is designed for.

I'd like to note something that's skipped over here: the nature of the choice companies/platforms give users. All the transparency and control in the world is useless if the choice offered is "give us permission to do anything/everything or don't use our platform/website". Hobson's choice is no choice at all most of the time.

The problem with privacy in the electronic world is, it needs to be a world wide effort. You can't have 40 different regulations from 60 different countries because there will be conflicts. They all need to come together and work on it. Sadly, it will not happen in our life time.

If you meet someone in the physical world the information exchange is a two way exchange, you see the groceries your neighbour has in her basket while she sees yours. In the "electronic world" it's corporations that prefer to do their dealings in backrooms. Google knows more of you than you'll ever get to know about Google executives.And thanks to the use of computers information can be stored almost indefinitely and be processed and reprocessed at almost zero cost. I see Facebook as a spying company where I don't want any dealings with. But why do so many websites show "like" buttons that tell Facebook that I'm visiting that website?That the privacy regulations have turned bad is in large part to all of those bad actors on the Internet, advertisement networks and other tracking sites. I would love to see the current privacy laws enforced, so that the bad apples are taken out of the basket. Don't forget that the laws can be refined when people and companies agree on a more friendly approach to privacy.

Re:

Laws that attempt to protect privacy are regulations. The passing of laws regarding privacy is the regulation of privacy. Those who do so are regulating privacy.

Regardless of whether you agree with the various attempts at legislation regarding privacy, such as the GDPR, they are still attempts to regulate it. With the GDPR, it's right there in the name: General Data Protection Regulation.

Given that, I don't see how the usage of "regulating privacy" leads to your conclusions, when all that term is doing is calling a duck, a duck.

Re: Re: Re:

I would argue basically the entire problem we are facing is about transparency. User control is implied by transparency as you have the option at that point to refuse the service and let market forces work to create better alternatives. As we stand today, you have no idea if, when you go buy groceries or anything else online or otherwise, that store is turning around and giving or selling the information about you and what you bought to a barrage of spammers who will make your life miserable (or using it for some other even more nefarious purpose).

The way I see it thats where regulation needs to come in because currently the bad effects are external to the market. Companies aren't transparent about this because there really no upside for them. It's incredibly difficult to trace back to the source of the leak when you get unwanted effects from it. People are not able to connect the consequences to the transaction, so companies can benefit from the private data of their customers without having to pay the cost of having customers choose not to use their service as a result.

Also, bullshit - "going out" in the real world has every bit as many safeguards on our privacy as we're seeking in the digital world: sure, if you happen to bump into me it's not illegal for you to see what I might be carrying, but that is only true if in fact you don't actually care, and the incident is purely accidental; if it's intentional, if you wait for me every day at my door and tag along taking notes of what I do that is indeed HELLA illegal, whether you're a private person, corporate officer or government agent unless I'm officially under investigation in a case. I'm also fully within my rights to go out disguised, or arrange some kind of private tinted-windowed means of transport whenever I want to make SURE you don't get to see what I carry or do. So cut the bullshit please because it's mighty smelly.

Re:

It is still illegal to stalk people online. It's not about whether you care or not.

If you have a similar situation to what happens online it's still legal in the real world.. This would be basically a store employee taking down whatever all customers that come in are wearing.. Or the much more likely scenario of getting you to fill out forms of some sort (raffles, credit card apps, warranty registration, etc) and then using that info for purposes that you didn't realize.

Re: Re:

Rewards cards, in-store credits cards, company apps... all of those things are data targeting and consolidation efforts in the real world. They can't tell that you are pregnant if you pay with cash and don't give them any information about who you are.

Re: Re:

...filling out forms...

Many years ago - before PC's became mainstream - I had to submit a change of address to my local government. The clerk doing the data entry misspelled my name. Several months later I started getting junk mail with my misspelled name. So it's not just 'private' businesses that need to be reigned in on what to do with all that information.

Re: Re:

Death of the Google-age

I think you are ignoring one more thing:The sum of the individual components can on its own create more value than the addition of its parts.That has been an argument for why designating something as personally identifyable is silly for a long time. At the same time big data and AI are accelerating the correlaton search and constantly creating more ways to use and abuse data.

I agree completely that if people wants to protect their privacy, they need to give informed consent as opposed to the least legally acceptable, which has been the cookie-clicker-game directive that came before. The best step would obviously rely on how much the companies are willing or able to share about their algos and if we can get a pre-vetted permission table in the browser, websites will respect. But I see no changes, all I see is racists faces. Google is as unwilling as ever to spill any data after they converted to AIs, claiming that they can't share the data because it is an AI...

Be aware of the ePrivacy Regulations making their rounds at the moment since it is another and apparently more serious aspect. As opposed to GDPRs data it deals with metadata and it has got the lobbyists overbooking Bruxelles!

What do you mean "we" white man?

"privacy is not a "thing," it's a trade-off."

No. It isn't.

Privacy is thing of negative space. Much as freedom is the absence of tyranny, privacy is the absence of intrusion. Which is to say that the things that violate privacy can be clinically measured, and the that measurement is adequate to define the space in which the freedom recognized by the 4th amendment exists.

You equivocate a lot on this to make your ego feel better for selling your readers data to dubious sources. Just own it. You don't support the 4th amendment.

"think about whether or not they'd lead to a world in which end users have more control and more transparency"

That sounds a lot like: "Please don't fuck up the status quo because it will piss in my corn flakes."

How about this instead:

We already have statutes that are sufficient to prosecute industrial interference with civil rights. They are being violated. Nobody is being prosecuted because the state is corrupt. Attempts to create new regulations, serve nothing but to entitle existing abuses by encoding them into law.

Re: What do you mean "we" white man?

sigh

privacy is the absence of intrusion

And you are trading some of your privacy (e.g. allowing intrusion) for convenience every time you step out in public, whether that is to buy groceries, go to a movie, or whatever else you may do outside your own home. Heck, having a home is even a sacrifice of some privacy, partially because it's a large building that is publicly visible, but also because you likely had to go through a lot of financial checks to get a loan to buy the house. Hence privacy is a trade off, your description of it just reinforces that fact, not disprove it.

freedom recognized by the 4th amendment

Much like the 1st Amendment, the 4th only applies to the government. A corporation or other non-governmental entity isn't bound by the 1st or 4th Amendments. And before you get your panties in a twist, no, that doesn't mean a corporation can come into your home and take whatever they want, that's called stealing and there are other laws against that but it has nothing to do with the 4th Amendment.

You don't support the 4th amendment.

Citation needed

That sounds a lot like: "Please don't fuck up the status quo because it will piss in my corn flakes."

Actually it sounds more like: "Please think about what you actually want to achieve and whether or not supporting the current legislation will accomplish that".

We already have statutes that are sufficient to prosecute industrial interference with civil rights

We do? Where? Not seeing any that apply to specifically to digital information.

They are being violated.

The statutes or our privacy?

Nobody is being prosecuted because the state is corrupt.

Well, there are a lot of corrupt politicians, but there are also ones who aren't. Regardless though, there are no hard laws against selling your web browsing history to the highest bidder. In fact, Congress and our glorious leader voted to do away with just such regulations a few years ago. You may have heard of it, it was part of Tom Wheeler's 2015 Open Internet Order.

Attempts to create new regulations, serve nothing but to entitle existing abuses by encoding them into law.

I'm confused, making a law that makes an action illegal just further entitles and encourages said action? So because we have laws against murder and theft, that is just encouraging everyone to kill and steal? So we should make it legal to kill and steal and that will stop all murders and thefts? Wow, I didn't realize the solution was so simple.

It would appear you have a grudge against this site for unknown reasons. Maybe try some facts next time you want to take it down a peg?

Re: Re: What do you mean "we" white man?

"Hence privacy is a trade off, your description of it just reinforces that fact, not disprove it."

You have me! I am completely undone! /sarc. The founders wrote volumes on human and civil rights. If your going to declare that the basis of constitutional law invalid because it is inconveinient for you to grok what they meant, and reconcile it with digital media, I could help you with that. But I'd have to charge you for it.

"Citation needed"

The article above is just a recent example. Not going to pull the other ones out. Not your database administrator.

"The statutes or our privacy?"

Yes.

"We do? Where? Not seeing any that apply to specifically to digital information."

The word "digital" is not prerequisite to establishing standing. Not that it is neccessary, because having read my states computer intrusion laws, they are more than adequately broad to prosecute. No I'm not going to cut and paste. Not your law clerk.

"I'm confused, making a law that makes an action illegal just further entitles and encourages said action?"

What gives you the idea that the legislation that presumes to make something illegal, will actually do what its authors say it will? The federal and state codes are filled with obtusely worded laws that create basis for commercial intrusion, while in their title and on their surface appearing to be restrictive. Yes I could quote you a few, no I'm not going to. Not your law clerk.

"Maybe try some facts"

TDs zeal for the first amendment, is clearly not matched by zeal for other parts of the document. Sufficed to say, that it quotes all kinds of bench law, but when it comes to the 4th amendment, you get articles that say: "it's a trade off" or some other equivocation.

The founders recognize privacy as a human right. Maybe you should consider that before you try and take THEM down a notch.

Re: Re: Re: Re: Re: What do you mean "we" white man?

Re: Re: Re: What do you mean "we" white man?

The founders recognize privacy as a human right. Maybe you should consider that before you try and take THEM down a notch.

Did they define privacy? There is some definition, but there is also a lot of contention as to what privacy actually means, and as to where it applies.

The fact is, that the Constitution applies to the government, not to private actors, which would include corporations. If you want privacy to protect you from corporations, the get Congress to do something. Not the something that corporations want (good luck seeing they have a bigger voice in Congressional actions than constituents), but something that is actually for the people. And while you are at it, remember that some 'private' information is not actually harmful, and its use to 'commoditize' certain collections, might actually be a good thing. Now, I for one, certainly want to know what information is being collected, how it is being used, to whom it is being distributed to, and how to opt in (which should be the standard) or opt out, and still receive the service.

Third parties to that collection should be illegal and forcefully enforced. There is no opportunity to opt in or out when an actor with whom you have no relationship with is collecting, and distributing stuff they have no actual right to. They get it because it's there and can be gotten. Better encryption of the whole Internet might help here, and HTTPS helps in that arena. There may be better methods that those who know about Internet security would be in a better position to suggest and explain.

Re: Re: Re: What do you mean "we" white man?

Glad you agree, especially since you don't actually have facts to prove me wrong so you're just going to attack me and ignore any arguments you find inconvenient. Typical.

I addressed your 4th Amendment arguments as well, but obviously you ignored them. Again, the 4th Amendment only applies to the government, NOT corporations. That alone should be enough to disprove your entire rant. Perhaps you are the one who doesn't "grok" what they meant.

The article above is just a recent example.

And as I pointed out, the article above is NOT an example of what you claim. Therefore the burden of proof is on you. I can search TD and find many articles where they DO support the 4th (see any article they've written on asset forfeiture), perhaps that's why you won't provide any further evidence? Because you have none?

Yes.

Alright then, that's one thing I can probably agree with you on, though likely not to the extreme you're suggesting.

The word "digital" is not prerequisite to establishing standing.

Actually, it is in many cases, not all, but a good many, since the digital world does not always work the same as the traditional analog history we are used to. That's why there are specific laws such as the CFAA and Telecommunications Act, and so on and so forth.

Not your law clerk.

No, but the burden of proof rests with you, not me, since you are the one making the accusations.

What gives you the idea that the legislation that presumes to make something illegal, will actually do what its authors say it will?

Because words have meaning and when encoded as law you can be arrested and prosecuted for breaking them? Seriously? This is your argument? By that logic then the Constitution is absolutely WORTHLESS, because it's just a bunch of words, "how do you know it will actually do what its authors say it will?". See?

Yes there are some laws that say they will do one thing while actually doing something different, but you've yet to provide any evidence that is the case here. Meanwhile I've provided evidence that some, if not all, of your arguments are false.

Yes I could quote you a few, no I'm not going to.

Maybe you should, it might actually prove you know what you're talking about.

TDs zeal for the first amendment, is clearly not matched by zeal for other parts of the document.

Then you obviously haven't read TD much or are deliberately ignoring their articles that deal precisely with the 4th as well as other parts of it. Maybe try some facts next time.

The founders recognize privacy as a human right.

Yes they do.

Maybe you should consider that before you try and take THEM down a notch.

And the only law they put in the Constitution about it was a restriction on the government. Because back then, the government was about the only organization large enough to intrude on your privacy in any meaningful way. If anyone else wanted to, they would have to break into your home, or spy on you with a telescope or something. They had no idea that in a few hundred years, your privacy could be invaded by simply purchasing and using a device that could store all your medical and financial data, as well as track your purchasing habits and real-time geo-location.

Re: Re: Re: Re: What do you mean "we" white man?

"No, but the burden of proof rests with you, not me, since you are the one making the accusations."

You are absolutely right in that. While I acknowledge the void, I emplore you to consider the possible reasons for it, and not to post them.

"And the only law they put in the Constitution about it was a restriction on the government"

John Hancock didn't have his cargos seized by the king. They were seized by the exchequer on behalf of the kings lawfully decreed private monopoly. Much as citizens privacy rights are being usurped by state mandated telecom monopolies today.

Statutory code is obliged to take into consideration the natural law from which the Constitution is derived, and judicial oversight often does from the bench. In fact from what I've read of the UCC, it is extraordinary how far it goes to preserve impartiality.

To say that we need "privacy regulations" is to say that the existing impartiality of the courts and of the law is insufficient. But how could that be so, if it has not be tried in court?

But all that aside. The questions at hand is: "Is there technology being broadly implemented that violates existing statues?"

That question requires some understanding of both. The assumption to date, is that because I haven't demonstrated that by enumerating them, that I am full of shit. Maybe so.

But the cost differential if I am vs. if I'm not is significant. Further the cost to the public from such an enumeration being disclosed publicly prior to litigation commencing, is also signficant.

This should be persued. It will be lucrative for the attorney who persues it. I am not such an attorney. All I can do is hope to inspire one without fragging his or her opportunity for success in the process.

Re: Re: Re: Re: Re: What do you mean "we" white man?

You are absolutely right in that.

Thank you. Now that we are in agreement, please provide evidence to back up your claims.

John Hancock didn't have his cargos seized by the king.

Oh really? First off, what does this have to do with anything? That was a foreign government doing the seizing, not the American government. And are you saying that the HMS Romney that did the actual seizing wasn't a ship in the Royal Navy?

They were seized by the exchequer on behalf of the kings lawfully decreed private monopoly.

You mean the official Boston port run by the king's appointed Board of Commissioners? That "private monopoly"? Oh yes, that makes all the difference, a government appointed board that reports directly to the king and official government is absolutely a "private monopoly". NOT.

Regardless of any of that, it was still being mandated by the government. Corporations selling your data is not mandated by the government, they are doing that on their own. Please, do read up on history a bit more.

To say that we need "privacy regulations" is to say that the existing impartiality of the courts and of the law is insufficient. But how could that be so, if it has not be tried in court?

The law doesn't say they can't sell our data and Congress struck down new regulations that would have prohibited companies from selling our data so what the hell are you talking about?

Re: What do you mean "we" white man?

No. It isn't.

That's compelling. I really like how you presented a thesis to explain why I was wrong and then backed it up with explanations and data and such, rather than just asserting I was wrong without backing it up at all.

Privacy is thing of negative space

No. It isn't. <---- Am I doing this right?

Much as freedom is the absence of tyranny, privacy is the absence of intrusion.

That's not what privacy means at all.

Which is to say that the things that violate privacy can be clinically measured, and the that measurement is adequate to define the space in which the freedom recognized by the 4th amendment exists.

Okay. How do we measure privacy? What is the metric? Where can I look up my privacy score?

Separately, what does the 4th Amendment have to do with this?

You equivocate a lot on this to make your ego feel better for selling your readers data to dubious sources. Just own it. You don't support the 4th amendment.

What?!? You must be new here. For years, we've been going to bat for the 4th Amendment. But, hate to break it to you, the 4th Amendment has literally fuck all to do with privacy as it relates to private corporations.

That sounds a lot like: "Please don't fuck up the status quo because it will piss in my corn flakes."

If that's what it sounds like, you have no clue about anything. Seriously. Thinking through the broader impact of a law sounds like that to you? Are you serious? Obviously you are not.

We already have statutes that are sufficient to prosecute industrial interference with civil rights.

Name them.

They are being violated.

Which laws and by whom?

Nobody is being prosecuted because the state is corrupt.

I don't disagree with the state being corrupt, but the idea that we're not currently prosecuting privacy violations is laughable.

Attempts to create new regulations, serve nothing but to entitle existing abuses by encoding them into law.

That may or may not be the case. It certainly depends on the situation, but this kind of language is the kind of language frequently used by clueless internet commenters high on YouTube idiots who don't know shit about the law. Prove that you actually know something, otherwise I think it's clear that we can dismiss you're uninformed nonsense for what it is.

Re: Re: What do you mean "we" white man?

"rather than just asserting I was wrong without backing it up at all."

I don't get paid for this comment. Incidentally, YOU get paid for this comment. Clearly the yield doesn't justify your request. And you know how much work that is, so you knew when you made the demand how unreasonable it was.

There are easily a half dozen commonly implemented architectures out there right now, that are simple enough to explain to a jury, and that violate state statutes. And from what I know about you, you're almost assuredly aware of that.

I agree with you that legislation isn't the solution. The reason I agree with you, is that such an effort is more likely to insulate the existing players, who are at this time exposed. Given the scale of the violations, and the corresponding potential for award, it is simply fiscally irresponsible. I'd much rather the state fund its general budget by protecting citizen rights, than spend money depriving citizens of them.

I read most of what you post on TD, and have listened to some of your podcasts. When to comes to privacy issues you are not populist. That is just an unsupported opinion. But you know as well as I do, that the difference between unsupported and supported, is the time it takes to support, not the validity of the position.

I may take your demand. Of course that degree of work compels a different venue. That isn't intended to be an insult, just acknowledgement of the value.

Re: Re: Re: What do you mean "we" white man?

I don't get paid for this comment. Incidentally, YOU get paid for this comment. Clearly the yield doesn't justify your request. And you know how much work that is, so you knew when you made the demand how unreasonable it was.

What kind of word salad nonsense is this? What does whether someone gets paid for something or not have to do with anything? And why do you think he gets paid for making comments? The whole thing is just nonsensical.

There are easily a half dozen commonly implemented architectures out there right now

Name one.

such an effort is more likely to insulate the existing players, who are at this time exposed

Oh yes, so exposed that they can do whatever they want with our data without fear of reprisal or punishment, yep, sounds exposed and not insulated to me. NOT.

Seriously, you are arguing against any regulation because you think it will just make things worse. If that's the case then ALL laws are bad because they just make things worse. And that includes the Constitution. You can't say all laws and regulations are bad without throwing out the good ones as well. I'll agree it would be great if we could do this without legislation, but you aren't providing any solutions either. Plus you follow all this up with:

I'd much rather the state fund its general budget by protecting citizen rights, than spend money depriving citizens of them.

So which is it? Do you want regulation or don't you? You just contradicted your earlier statement that any regulation is only going to make things worse.

I may take your demand.

That you actually know what you're talking about and can provide evidence to back up your nonsensical claims? Good, about time.

Of course that degree of work compels a different venue.

Why? Comments here support URL links, post some links to laws, facts, and other evidence to support your assertions.

Re: Re: Re: What do you mean "we" white man?

There are easily a half dozen commonly implemented architectures out there right now, that are simple enough to explain to a jury, and that violate state statutes. And from what I know about you, you're almost assuredly aware of that.

Re: Re: Re: Re: What do you mean "we" white man?

Why should I? So you can flip through some user manuals, RFC's, and some online statuory code, and then endear yourself to some of your exec pals and their respective loss prevention departments? Good way to sell a data feed I'd guess.

Nope. Not your law clerk. Not your technician. I'll take your feigned ignorance for what it is.

This has been a useful exercise. At least now I know what side your going to be on when the hammer drops.

Re: Re: Re: Re: Re: What do you mean "we" white man?

Why should I?

Because you are making baseless accusations that have no basis in reality and people familiar with those "commonly implemented architectures" are calling you out on your BS. Therefore, if you want us to come around to your point of view, you're going to have to provide evidence that you're right, because we've searched, researched, and looked, and we don't see any evidence of what you're babbling on about.

then endear yourself to some of your exec pals and their respective loss prevention departments?

What? Where did that even come from and what does it have to do with any of this?

Good way to sell a data feed I'd guess.

Again, what?

Nope. Not your law clerk. Not your technician.

You don't have to be. But if you're going to make wild, baseless claims that aren't backed by fact, then you're going to have to provide evidence yourself if you want anyone to take you seriously.

I'll take your feigned ignorance for what it is.

And I'll take your refusal to provide any evidence of your claims as that you actually have none and are simply lying through your teeth.

This has been a useful exercise.

Perhaps you meant worthless?

At least now I know what side your going to be on when the hammer drops.

Yes you do. Though what hammer you think is going to drop is beyond me. Mike and the rest of us have clearly stated where we stand, we can't help that you choose to not live in reality with the rest of the world.

Re: Re: Re: Re: Re: What do you mean "we" white man?

Let's be 100% clear here so we can call out your trolling for what it was. You made a completely baseless claim, which anyone with any knowledge of privacy laws knows is false: that there are already tons of statutes on the books concerning privacy that social media sites violate everyday, but magically (despite all the public concern and handwringing over this) no one will actually try to use those laws.

That's quite a claim. Especially when you present no evidence to support it.

I asked you merely to name ONE single statute to prove your point.

You refuse to do so.

Okay. On with your nonsense.

Why should I?

Because you made an extreme claim that literally no one else here believes and which you would back up by naming a single statute on the books... but you refuse to do so.

So you can flip through some user manuals, RFC's, and some online statuory code, and then endear yourself to some of your exec pals and their respective loss prevention departments?

What?

Good way to sell a data feed I'd guess.

What?

Nope. Not your law clerk.

Not asking you to be a law clerk. Asking you to NAME ONE THING that backs up your claim WHICH YOU MADE in the first place.

The fact that you refuse to do so means you're a troll.

This has been a useful exercise. At least now I know what side your going to be on when the hammer drops.

Re:

Even if we assume going out of your house consititutes a "privacy trade-off," it still wouldn't be equivalent. Going out of your house is necessary to do great many things in life. Corporations spying on your internet use to build secret databases for who knows what purpose is not necessary for anything.

The biggest issues of online privacy aren't about companies asking for data, but demanding it or worse, collecting it on the sly. Asking always includes the chance to refuse, which is unfortunately often missing.

Requiring companies to ask for data rather than "collect it all" is a good thing. And while I agree the option to delete all your data isn't always the best option, it's better than no option at all.

Nor do I consider requirements of adequate security concerning the storage and handling of user data to be at all unreasonable.

I do therefore believe these regulations are, while not perfect, still improvent over the previously existing condition.

Trade-off?

The argument is a bit simplistic, the privacy issue is about much more than just a simple trade-off.

Instead of a grocery store example, let's say I have erectile disfunction and I share that with my doctor so I can get some Viagra. If that information remains between me and the doctor, that is a trade-off.

But it's a very different issue if I go home and there's a post about my purchase on Facebook, "Coyne is using Viagra, you should, too."

A trade-off is when I make a deal I make for a specific benefit. The biggest problem nowadays is that I have no idea who I'm making a deal with, or the extent of the sharing involved in the deal.

The basic issue is this: privacy is not a "thing," it's a trade-off. Yet, nearly all attempts to regulate privacy treat it as a thing -- a thing that needs "protecting." As such, you automatically focus on regulating "how do we protect this thing" which generally means prohibitions on sharing information or data, or even being willing to delete that data.

I think you still don't understand privacy and what the risks are. Your grocery example is a pretty good example for it.

Re: Re:

Because the survival of your business depends on you not understanding it. It’s disgusting that you would attempt to relate the things you have here. You’ve become a poisoned well, a surveillance apologist, disguised as something else. The numerous shill commenters for corporate power and control have become overt, and you push the same think tank propaganda garbage as they do. I remember when you where less compromised, I miss that Insightful writing.

Re: Re: Re:

Re: Re: Re:

Because the survival of your business depends on you not understanding it.

How so? I think more people would be shouting "hell yeah" if I jumped on the bandwagon that says "regulate the internet giants to hell for privacy violations!".

It’s disgusting that you would attempt to relate the things you have here.

I'm sincerely interested in how my discussion is disgusting? I can see disagreeing with it, but what is "disgusting" about it?

You’ve become a poisoned well, a surveillance apologist, disguised as something else.

In what way have I become a surveillance apologist? I am very much against surveillance and have made that clear for years. Indeed, my ideas for how to deal with company snooping is put the power and the data back in the hands of the end users, to decrease surveillance.

The numerous shill commenters for corporate power and control have become overt, and you push the same think tank propaganda garbage as they do.

What?!?

I remember when you where less compromised, I miss that Insightful writing.

Can you explain how I'm "compromised"? I must have missed the memo.

As a general note, you can disagree with someone without insisting that they are a sellout and "compromised." That you immediately make such bullshit assumptions about someone just because you disagree with their position says a lot more about you than it does me.

Re: Re:

One problem is that "Alice told her neighbor she saw Bob at the grocery store" is almost entirely dissimilar from the things people are complaining about. Nobody's ever suggested regulation on that. It's like when the police want to search someone's phone, claiming it's similar to a briefcase, and we say "no it's not, because nobody carried their entire life in a briefcase".

Chance encounters ain't the same fucking ballpark as corporate surveillance. A person used to produce a few datapoints per day, each accessible to a different limited subset of people, often hidden among unreliable gossip. If a newspaper had chosen an ordinary person then, and published as much information as Facebook collects now, there would have been outrage. We didn't have that much information on anybody—seriously, compare an old Stasi or FBI file to a Facebook data export.

Is it a Thing or a Trade-off? It's neither

While I think the Thing vs. Trade-off concept has value, it's too abstract to think in terms of a trade-off. It might be easier to approach privacy as a price.

Just as the price I pay to go to the store to pick up a tub of Chunky Monkey includes the fact that people will see where I go, when I go there, how I got there, what I bought and just how bad my fashion sense is, the price I pay for using the internet is much more than the $90 or so per month I pay Cox for the connection.

Even worse, the cost for using a "free" service such as Facebook includes practically all my internet activity: websites visited, emails sent, emails received, torrents accessed, searches performed and how many 55-gallon drums of lube I have bought from Amazon. And, don't forget the metadata: when and how often I log on, how long I spend on each page, how much data I consume, etc.

The problem lies in valuing this information. I think most people undervalue it, likely due to not understanding the consequences of this data gathering. So, let's project out a few years and see where all this leads to.

Companies will start using AI (if they're not already) to analyze this data and take action. Imagine that an AI notices that I seem to be preparing to take a vacation. This AI uses Google Duplex-style technology to call me up and let me know that it has some excellent deals on vacation packages. Before I know it, I'm sitting in a timeshare presentation. How much do you think a timeshare company would pay for such a pre-qualified lead?

Or, the AI notices that people who move from larger digs to smaller ones many times end up buying a shed for the backyard because they need the extra space. So it contacts people right after they move and recommends not only a shed with "free" installation, but where to put it in the yard and a color scheme that matches the new house. Then, it schedules delivery of the materials and a construction crew to install it. Now, you've got the AI doing the actual selling and making all the commission for the company that owns the AI.

These are the "ethical" uses of this private information. How long until AI is calling up married, rich philanderers with the name and date of every hotel check in along with video from insecure video cameras of him and his various dates walking in to the hotel asking for hush money so that the wifey doesn't find out. Using facial recognition, the AI can double-dip by pulling the same thing on any of his dates that are married or dating. And, of course, the monetary demands will be set according to income.

Today, the above is still in the realm of science-fiction, but in 10 or 15 years, I expect they will be commonplace.

So, how do we avoid such scenarios? I'm not sure that we can. But, if there is a solution, it will likely require more than a "data bank" that is controllable by the user. (Nice idea, BTW, but wholly inadequate for the above scenarios.) It will likely require completely re-architecting the internet itself to bake privacy into the protocols.

So, ultimately, it's not a trade-off. It is a very high price that we are paying. The more that people realize how high a price that can be, the less they will be willing to share their information for any benefit whatsoever.

Re: Is it a Thing or a Trade-off? It's neither

..it's too abstract to think in terms of a trade-off...

A critique of being 'too abstract' is not meaningful in this context. Is the commentary reasonable? Does it grapple with the complexity of the issue in a way that can be built on?... This response seems like Concreteness Bias. Concrete assessments are not inherently more right or more real than abstracted ones.

It might be easier to approach privacy as a price.

Why is it 'easier'? Why is 'easier' better? What is "hard" about what Mr. Masnick wrote?

Just as the price I pay to go to the store to pick up a tub of Chunky Monkey includes the fact that people will see where I go, when I go there, how I got there, what I bought and just how bad my fashion sense is, the price I pay for using the internet is much more than the $90 or so per month I pay Cox for the connection.

Even worse, the cost for using a "free" service such as Facebook includes practically all my internet activity: websites visited, emails sent, emails received, torrents accessed, searches performed and how many 55-gallon drums of lube I have bought from Amazon. And, don't forget the metadata: when and how often I log on, how long I spend on each page, how much data I consume, etc.

The problem lies in valuing this information. I think most people undervalue it, likely due to not understanding the consequences of this data gathering. So, let's project out a few years and see where all this leads to.

You've recasted this with economic thinking, an analytical tool. Its a possible tool for some later stage. Good thoughts though. The value of 'the masses' data is arbitrarily devalued in a way similar to the devalue of labor... But, again, we've gotten ahead of ourselves. This article is addressing the fundamentals of privacy and the reality of a changing world with changing capabilities.

Companies will start using AI (if they're not already) to analyze this data and take action. Imagine that an AI notices that I seem to be preparing to take a vacation. This AI uses Google Duplex-style technology to call me up and let me know that it has some excellent deals on vacation packages. Before I know it, I'm sitting in a timeshare presentation. How much do you think a timeshare company would pay for such a pre-qualified lead?

Or, the AI notices that people who move from larger digs to smaller ones many times end up buying a shed for the backyard because they need the extra space. So it contacts people right after they move and recommends not only a shed with "free" installation, but where to put it in the yard and a color scheme that matches the new house. Then, it schedules delivery of the materials and a construction crew to install it. Now, you've got the AI doing the actual selling and making all the commission for the company that owns the AI.

These are the "ethical" uses of this private information. How long until AI is calling up married, rich philanderers with the name and date of every hotel check in along with video from insecure video cameras of him and his various dates walking in to the hotel asking for hush money so that the wifey doesn't find out. Using facial recognition, the AI can double-dip by pulling the same thing on any of his dates that are married or dating. And, of course, the monetary demands will be set according to income.

Today, the above is still in the realm of science-fiction, but in 10 or 15 years, I expect they will be commonplace.

As our technological abilities increase the lessons of our collective humanity come to the forefront. What is ethical, what is "civilized", what is cruel or abusive, what is possible, what is actual progress, and many other questions have to be reevaluated as time passes. If we don't, at (optimistic) best, we are left with reflexive human behavior and whatever chaos that brings. Social Mechanics, like many other forces is subject to inertia. Injecting some wisdom now will make good future outcomes more likely. We may even being able to avoid the AI abuse described.

So, how do we avoid such scenarios? I'm not sure that we can. But, if there is a solution, it will likely require more than a "data bank" that is controllable by the user. (Nice idea, BTW, but wholly inadequate for the above scenarios.) It will likely require completely re-architecting the internet itself to bake privacy into the protocols.

So, ultimately, it's not a trade-off. It is a very high price that we are paying. The more that people realize how high a price that can be, the less they will be willing to share their information for any benefit whatsoever.

This whole comment doesn't really contradict Mr. Masnick. I suspect that Mr. Strosnider is more comfortable with a response that is expressed in an arbitrarily concrete style. I find Mr. Masnick's 'abstract' handling to be proper enough, though it is missing something I can't put my finger on right now. I was hoping the comments would help.

Re: Re: Is it a Thing or a Trade-off? It's neither

Have you never heard the expression "freedom isn't free"? Our freedom today was bought and paid for by blood multiple times over the last 200 years.

Some guys used to say that a long time ago. It didn't end well.

I guess that depends on your definition. The British would certainly say it didn't end well, for them. It didn't end well for Hitler either, and it definitely didn't end well for Japan. America still has most of her freedoms intact, though even those are under attack right now.

Freedom requires vigilance and there is always a price to pay for that vigilance.

What freedom has to do with privacy in this context is unclear. Maybe you need to learn to read or how to be intellectually honest?

One problem I find with your real world analogy, is that unlike how things are in the physical world, data can be perfectly copied without any value being lost from the original: Whereas after I am done with my groceries I can go back home and can be sure that the moment I close my door, no one outside can see my position anymore nor tell what is in my groceries bag, I fail to see how that can be applicable to a personal data bank so that access to private information by online services can be limited and timed...but then again, I am not the most knowledgeable person when it comes to this domain...